Amendments to the Claims

Claim 1 (currently amended): In a computing environment having a plurality of secure network connections [[connection to a network]], a computer program product for securely propagating security credentials using a trusted master registry, the computer program product embodied on one or more computer-readable media and comprising:

[[computer-readable program code means for establishing a secure connection between a client and a password synchronization agent (PSA),]]

computer-readable program code means for receiving, at the PSA [[by a password synchronization agent (PSA)]] from a user at a [[the]] client device over [[the]] a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of [[a]] the user and an identifying secret of the user [[during propagation request processing]];

computer-readable program code means for [[validating the user with the]] forwarding, by the PSA to a trusted master registry over a second secure connection therebetween on which the trusted master registry has authenticated itself to the PSA, [[using]] the received user identifier and identifying secret, [[on request of the PSA]] wherein the trusted master registry stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;

computer-readable program code means for receiving, by the PSA from the trusted master registry over the second connection, a validation result created by the trusted master registry responsive to the forwarding, the validation result being a successful result if it indicates that the trusted master registry had previously stored, for the user identifier, a secured version of the identifying secret; and

computer-readable program code means for propagating, if the validation result is the successful result, the received user identifier and identifying secret of the user [[directly]] from the PSA to one or more target registries [[if the validation succeeds]] over third mutually-authenticated secure connections, each of the third connections being between the PSA and a distinct one of the target registries, such that each target registry can store, for the user identifier, a secured version of the identifying secret, wherein the secured version stored by the target registries is not required to be identical to the secured version stored at the trusted master registry.

Claims 2-3 (canceled)

Claim 4 (currently amended): The computer program product according to Claim 1, wherein the trusted master registry stores password synchronization policy information, and wherein the computer-readable program code means for propagating [[the received identifying secret]] further comprises computer-readable program code means for identifying the target registries using the stored password synchronization policy information for the user identifier.

Claim 5 (currently amended): The computer program product according to Claim 1, wherein the trusted master registry stores password synchronization policy information, and wherein the computer-readable program code means for propagating [[the received identifying secret]] further comprises computer-readable program code means for identifying the target registries using the stored password synchronization policy information for a user group of which the user identified by the user identifier is a member.

Claims 6-8 (canceled)

Claim 9 (currently amended): The computer program product according to Claim 1, wherein the previously-stored secured version of the identifying secret was created, at the trusted master registry, by [[computer-readable program code means for validating further comprises:]]

[[computer-readable program code means for]] performing a security function on a previously-received copy of the [[received]] identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;

[[computer-readable program code means for using the received user identifier to locate a previously-stored identifying secret of the user which was stored by the master registry; and]]

wherein the security function is repeated, at the trusted master registry, on the forwarded identifying secret of the user, after which, if a result thereof is identical to the previously-stored secured version, the trusted master registry then creates the successful result [[computer-readable program code means for concluding that the validation succeeds if the located identifying secret is identical to a result of performing the security function]].

Claim 10 (currently amended): The computer program product according to Claim 1, wherein the validation result is created, at the trusted master registry, by [[computer-readable program code means for validating further comprises computer-readable program code means for]] invoking an authenticated LDAP bind or other native authentication mechanism of the trusted master registry, using [[wherein]] the [[received]] forwarded user identifier [[of the user]] and [[the received]] identifying secret of the user, and wherein the validation result is created using a result of the LDAP bind or other native authentication mechanism [[... thereby causing the master registry to validate the passed identifier and identifying secret and return a result which reports a success or failure of the validation]].

Claim 11 (original): The computer program product according to Claim 1, wherein the PSA has administrative authority for performing operations at the one or more target registries.

Claim 12 (currently amended): The computer program product according to Claim 1, further comprising:

computer-readable program code means for obtaining a new value from the user to be used as the propagated identifying secret if the validation [[succeeds]] result is the successful result; and

computer-readable program code means for substituting this new value for the received identifying secret prior to operation of the computer-readable program code means for propagating.

Claim 13 (currently amended): A system for securely synchronizing security credentials using a trusted master registry, comprising:

[[means for establishing a secure connection between a client and a password synchronization agent (PSA),]]

means for receiving, at the PSA [[by a password synchronization agent (PSA)]] from a user at a [[the]] client device over [[the]] a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of [[a]] the user and an identifying secret of the user [[during propagation request processing]];

means for [[validating the user with the]] forwarding, by the PSA to a trusted master registry over a second secure connection therebetween on which the trusted master registry has authenticated itself to the PSA, [[using]] the received user identifier and identifying secret, [[on request of the PSA]] wherein the trusted master registry stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;

means for receiving, by the PSA from the trusted master registry over the second connection, a validation result created by the trusted master registry responsive to the forwarding, the validation result being a successful result if it indicates that the trusted master registry had previously stored, for the user identifier, a secured version of the identifying secret; and

means for propagating, if the validation result is the successful result, the received user identifier and identifying secret of the user [[directly]] from the PSA to one or more target registries [[if the validation succeeds]] over third mutually-authenticated secure connections, each of the third connections being between the PSA and a distinct one of the target registries, such that each target registry can store, for the user identifier, a secured version of the identifying secret, wherein the secured version stored by the target registries is not required to be identical to the secured version stored at the trusted master registry.

Claims 14-15 (canceled) 
Claim 16 (currently amended): The system according to Claim 13, wherein the trusted master registry stores password synchronization policy information, and wherein the means for propagating [[the received identifying secret]] further comprises means for identifying the target registries using the stored password synchronization policy information for the user identifier.

Claim 17 (currently amended): The system according to Claim 13, wherein the trusted master registry stores password synchronization policy information, and wherein the means for propagating [[the received identifying secret]] further comprises means for identifying the target registries using the stored password synchronization policy information for a user group of which the user identified by the user identifier is a member.

Claims 18-20 (canceled)

Claim 21 (currently amended): The system according to Claim 13, wherein the previously-stored secured version of the identifying secret was created, at the trusted master registry, by [[means for validating further comprises:]]

[[means for]] performing a security function on a previously-received copy of the [[received]] identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;

[[means for using the received user identifier to locate a previously-stored identifying secret of the user which was stored by the master registry, and]]

wherein the security function is repeated, at the trusted master registry, on the forwarded identifying secret of the user, after which, if a result thereof is identical to the previously-stored secured version, the trusted master registry then creates the successful result [[means for concluding that the validation succeeds if the located identifying secret is identical to a result of performing the security function]].

Serial No. 09/613,983 -8- Docket RSW9-2000-0044-US1

PAGE 10/25 * RCVD AT 4/11/2005 2:51:42 PM [Eastern Daylight Time]

Claim 22 (currently amended): The system according to Claim 13, wherein the validation result is created, at the trusted master registry, by [[means for validating further comprises ...]] invoking an authenticated LDAP bind or other native authentication mechanism of the trusted master registry, using the forwarded user [[wherein the received]] identifier [[of the user]] and [[the received]] identifying secret of the user, and wherein the validation result is created using a result of the LDAP bind or other native authentication mechanism [[... thereby causing the master registry to validate the passed identifier and identifying secret and return a result which reports a success or failure of the validation]].

Claim 23 (original): The system according to Claim 13, wherein the PSA has administrative authority for performing operations at the one or more target registries.

Claim 24 (currently amended): The system according to Claim 13, further comprising:

means for obtaining a new value from the user to be used as the propagated identifying secret if the validation [[succeeds]] result is the successful result; and

means for substituting this new value for the received identifying secret prior to operation of the means for propagating.

Claim 25 (currently amended): A computer-implemented method for securely propagating security credentials using a trusted master registry, comprising steps of:

[[establishing a secure connection between a client and a password synchronization agent (PSA);]]

receiving, [[by a password synchronization agent (PSA)]] at the PSA from a user at a [[the]] client device over [[the]] a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of [[a]] the user and an identifying secret of the user [[during propagation request processing]];

forwarding, by the PSA to a [[validating the user with the]] trusted master registry over a second secure connection therebetween on which the trusted master registry has authenticated itself to the PSA, [[using]] the received user identifier and identifying secret, [[on request of the PSA]] wherein the trusted master registry stores identifying secrets for user identifiers only as secure, non-recoverable versions thereof;

receiving, by the PSA from the trusted master registry over the second connection, a validation result created by the trusted master registry responsive to the forwarding, the validation result being a successful result if it indicates that the trusted master registry had previously stored, for the user identifier, a secured version of the identifying secret; and

propagating, if the validation result is the successful result, the received user identifier and identifying secret of the user [[directly]] from the PSA to one or more target registries [[if the validation succeeds]] over third mutually-authenticated secure connections, each of the third connections being between the PSA and a distinct one of the target registries, such that each target registry can store, for the user identifier, a secured version of the identifying secret.

Claims 26-27 (canceled)

Claim 28 (currently amended): The method according to Claim 25, wherein the trusted master registry stores password synchronization policy information, and wherein the [[step of]] propagating step [[the received identifying secret]] further comprises the step of identifying the target registries using the stored password synchronization policy information for the user identifier.

Claim 29 (currently amended): The method according to Claim 25, wherein the trusted master registry stores password synchronization policy information, and wherein the [[step of]] propagating step [[the received identifying secret]] further comprises the step of identifying the target registries using the stored password synchronization policy information for a user group of which the user identified by the user identifier is a member.

Claims 30-32 (canceled)

Claim 33 (currently amended): The method according to Claim 25, wherein the previously-stored secured version of the identifying secret was created, at the trusted master registry, by [[step of validating further comprises:]]

performing a security function on a previously-received copy of the [[received]] identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;

[[using the received user identifier to locate a previously-stored identifying secret of the user which was stored by the master registry; and]]

wherein the security function is repeated, at the trusted master registry, on the forwarded [[concluding that the validation succeeds if the located]] identifying secret of the user, after which, if a result thereof is identical to the previously-stored secured version, the trusted master registry then creates the successful [[a]] result [[of performing the security function]].

Claim 34 (currently amended): The method according to Claim 25, wherein the validation result is created, at the trusted master registry, by [[step of validating further comprises ...]] invoking an authenticated LDAP bind or other native authentication mechanism of the trusted master registry, using the forwarded user [[wherein the received]] identifier [[of the user]] and the received identifying secret of the user, and wherein the validation result is created using a result of the LDAP bind or other native authentication mechanism [[... thereby causing the master registry to validate the passed identifier and identifying secret and return a result which reports a success or failure of the validation]].

Claim 35 (original): The method according to Claim 25, wherein the PSA has administrative authority for performing operations at the one or more target registries.
Claim 36 (currently amended): The method according to Claim 25, further comprising steps of:

obtaining a new value from the user to be used as the propagated identifying secret if the validation [[succeeds]] result is the successful result; and

substituting [[this]] the new value for the received identifying secret prior to operation of the propagating step.

Claim 37 (new): The method according to Claim 25, wherein the forwarding and receiving steps use secure interprocess communications between the PSA and the trusted master registry instead of the second connection.

Claim 38 (new): The method according to Claim 25, wherein the secured version stored by the target registries is not required to be identical to the secured version stored at the trusted master registry.
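The flow the independent claims recite (forward the identifying secret to the trusted master registry, validate it against a stored non-recoverable version, propagate to the policy-selected target registries only on a successful result, each target keeping its own secured version as Claim 38 allows), modelled as an added example in Python; this is not the applicant's code, and the choice of PBKDF2 as the one-way security function, the per-registry salts, and the replacement of the mutually authenticated connections by direct calls are this example's assumptions.

```python
import hashlib
import hmac
import os

def secured_version(secret, salt):
    # The claims' "security function", option (i): a one-way hash. PBKDF2 is
    # this example's assumption; the claims name no specific algorithm.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Registry:
    # Keeps identifying secrets only as secured, non-recoverable versions. Each
    # registry salts independently, so versions differ per registry (Claim 38).
    def __init__(self):
        self._store = {}  # user identifier -> (salt, secured version)
    def store(self, user, secret):
        salt = os.urandom(16)
        self._store[user] = (salt, secured_version(secret, salt))
    def validate(self, user, secret):
        # Repeat the security function on the forwarded secret and compare it
        # with the previously stored version (Claims 9, 21, 33).
        if user not in self._store:
            return False
        salt, stored = self._store[user]
        return hmac.compare_digest(stored, secured_version(secret, salt))

class PSA:
    # Password synchronization agent. The claims' mutually authenticated
    # connections are modelled as direct method calls (an assumption).
    def __init__(self, master, targets, policy):
        self.master = master    # trusted master registry
        self.targets = targets  # registry name -> Registry
        self.policy = policy    # user identifier -> target names (Claim 4)
    def handle_request(self, user, secret, new_value=None):
        # Forward to the master; propagate only on a successful result and
        # return the names of the target registries that were updated.
        if not self.master.validate(user, secret):
            return []
        value = secret if new_value is None else new_value  # Claim 12
        for name in self.policy.get(user, []):
            self.targets[name].store(user, value)  # third connections
        return list(self.policy.get(user, []))

def demo():
    # Constructed scenario: one user, two target registries.
    master = Registry()
    master.store("alice", "correct horse")
    targets = {"ldap": Registry(), "erp": Registry()}
    psa = PSA(master, targets, {"alice": ["ldap", "erp"]})
    rejected = psa.handle_request("alice", "wrong guess")
    updated = psa.handle_request("alice", "correct horse")
    differs = targets["ldap"]._store["alice"][1] != master._store["alice"][1]
    psa.handle_request("alice", "correct horse", new_value="new pw")  # Claim 12
    return {"rejected": rejected, "updated": updated, "differs": differs,
            "erp_has_new": targets["erp"].validate("alice", "new pw")}
```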